tomcat-users mailing list archives

From "Steve G. Johnson" <>
Subject Re: SSLv3/TLS man-in-middle vulnerability
Date Tue, 19 Jan 2010 07:31:11 GMT
Since we do not know how to "switch connectors" or install OpenSSL, and do
not have a JDK on the server (only JRE 1.6.0_17), I suppose the best bet
is to wait until Tomcat is fixed ("coming soon").

Steve Johnson (619) 237-8315
Please consider the environment before printing this e-mail.

From Mark Thomas <>
To Tomcat Users List <>
Date 01/18/2010 09:19 AM
Subject Re: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List"


On 18/01/2010 11:03, Steve G. Johnson wrote:
> We recently installed Tomcat 5.5.23 on a Windows server to support the
> WebUI (webtop) application.
> We installed a certificate and are using SSL on port 8443. This all works
> fine.
> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0_17 on the server.
> You state on the site at the end of the
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear to us.
> The Web Inspect product stated that this must be fixed as follows:
> "
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch:
> Apache Mod-SSL Patch:
> /CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
> "
> What can we do to make the vulnerability shown in Web Inspect go away?

You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
 - use JSSE for SSL
 - JSSE is provided by the JDK
 - a fix will require a fix in the JDK - talk to your JDK vendor
 - the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
 - uses OpenSSL for SSL
 - OpenSSL is provided by the OpenSSL project
 - a fix requires a fix in OpenSSL
 - APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native
connector and use 1.1.19.
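For readers in Steve's position, this is what "switch connectors" means in server.xml terms. It is an added illustration, not configuration posted in this thread or shipped by the Tomcat project: the first Connector is the JSSE (BIO) form an installation like the one described would typically have on port 8443, the second is the APR/native form that hands TLS to OpenSSL via the tomcat-native library. The keystore path and password, the PEM file names and the attribute values for threads are placeholders chosen for the example; the attribute names themselves are the ones the Tomcat 5.5/6.0 connector documentation defines.

```xml
<!-- Added example, not from the thread. Paths and passwords are placeholders. -->

<!-- BEFORE: SSL on the BIO connector. TLS is implemented by the JRE's JSSE, so
     CVE-2009-3555 is only addressed by a JDK/JRE fix or the Tomcat 6.0.x workaround. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />

<!-- AFTER: APR/native connector. Needs the tomcat-native library (1.1.19 or later,
     the version named in the reply) on the JVM library path, e.g. tcnative-1.dll
     in Tomcat's bin directory on Windows. -->

<!-- In <Server>, before any <Service>: load the native library and turn on OpenSSL. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- APR reads PEM files, not a Java keystore, so the existing certificate and private
     key must be exported to PEM before switching. Naming the APR protocol class
     explicitly (rather than relying on "HTTP/1.1" auto-selection) makes a missing
     native library a startup error instead of a silent fallback to JSSE. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLCertificateFile="conf/server.crt"
           SSLCertificateKeyFile="conf/server.key" />
```

A quick manual check after the restart, independent of the scanner: connect with `openssl s_client -connect host:8443`, then type `R` on its own line to ask for a renegotiation. The workaround in the native library disables renegotiation, so that request should fail rather than complete a second handshake; if a fresh handshake goes through, TLS is still being terminated by the unpatched stack and the scanner finding will come back.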


To unsubscribe, e-mail:
For additional commands, e-mail:
